Designing an AWS cloud infrastructure
- Create a Network Architecture (VPC) with private and public subnets
- Create an app server using EC2 Instances
- Define network security rules and Manage encryption keys
- Perform security tests on the networks and app servers
AWS EC2 Diagram
Create a VPC
  VpcCIDR:
    Default: 192.168.0.0/24
    Description: CIDR IP range of the VPC
    Type: String
Create subnet 1
  PublicSubnet1CIDR:
    Default: 192.168.0.0/26
    Description: PublicSubnet1
    Type: String
Create subnet 2
  PublicSubnet2CIDR:
    Default: 192.168.0.64/26
    Description: PublicSubnet2
    Type: String
Create subnet 3
  PrivateSubnet1CIDR:
    Default: 192.168.0.128/26
    Description: PrivateSubnet3
    Type: String
Create subnet 4
  PrivateSubnet2CIDR:
    Default: 192.168.0.192/26
    Description: PrivateSubnet4
    Type: String
Create a Public Route
  PublicRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId:
        Ref: InternetGateway
Create a Private Route
  PrivateRoute:   # was also named PublicRoute, which duplicated the public route's logical ID
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId:
        Ref: NATGateway
Create an Internet Gateway
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: work-internet-gateway
Create a NAT Gateway
  NatGateway1EIP:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      Tags:
        - Key: Name   # property name is Key, not key
          Value: EIP1
  NATGateway:   # the NAT gateway itself, which the private route refers to; it uses the EIP allocated above
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatGateway1EIP.AllocationId
      SubnetId: !Ref PublicSubnet1   # assumed logical ID of the public subnet 1 resource (not shown on this page)
Create a Security Group for the public (bastion) subnet
  BastionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Bastion-SG
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: Bastion-Security-Group
      VpcId: !Ref VPCWork   # logical IDs must be alphanumeric, so "VPC-work" is not a valid Ref target
Create a Security Group for the private subnets
  EC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: EC2-SG
      SecurityGroupIngress:
        - IpProtocol: tcp   # SSH only from the bastion subnet (subnet 1)
          FromPort: 22
          ToPort: 22
          CidrIp: 192.168.0.0/26
      Tags:
        - Key: Name
          Value: EC2 Security Group
      VpcId: !Ref VPCWork   # logical IDs must be alphanumeric, so "VPC-work" is not a valid Ref target
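As an added example (not code from this page), a stdlib-only Python check over the two security groups above, written in CloudFormation JSON form, that flags any remote-administration port (SSH, RDP) reachable from the whole Internet, as the bastion group's port 22 rule is, and produces a copy with such rules narrowed to an admin CIDR. It goes beyond the page's rules by also handling the "all traffic" (IpProtocol -1) and IPv6 (::/0) forms; the function names and the admin CIDR you pass in are assumptions.

```python
import copy
import ipaddress
import json

# Constructed excerpt: the page's two security groups in CloudFormation JSON form (same rules as the YAML above).
TEMPLATE = json.loads("""{"Resources": {
  "BastionSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 80,   "ToPort": 80,   "CidrIp": "0.0.0.0/0"},
      {"IpProtocol": "tcp", "FromPort": 443,  "ToPort": 443,  "CidrIp": "0.0.0.0/0"},
      {"IpProtocol": "tcp", "FromPort": 22,   "ToPort": 22,   "CidrIp": "0.0.0.0/0"},
      {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "CidrIp": "0.0.0.0/0"}]}},
  "EC2SecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "192.168.0.0/26"}]}}}}""")

ADMIN_PORTS = {22: "ssh", 3389: "rdp"}  # remote-administration ports that must not be world-open

def is_world_open(rule):
    """True when the rule's source is a whole address family (0.0.0.0/0 or ::/0)."""
    cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
    return cidr is not None and ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def port_range(rule):
    if rule.get("IpProtocol") == "-1":  # "all traffic": every port, FromPort/ToPort absent
        return 0, 65535
    return int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))

def find_world_open_admin_ports(template):
    """Return (logical_id, port, service) for each admin port reachable from anywhere."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            lo, hi = port_range(rule)
            if is_world_open(rule):
                findings.extend((name, p, s) for p, s in ADMIN_PORTS.items() if lo <= p <= hi)
    return findings

def restrict_admin_ports(template, admin_cidr):
    """Copy of the template with each world-open rule that covers an admin port narrowed to admin_cidr."""
    hardened = copy.deepcopy(template)
    for res in hardened.get("Resources", {}).values():
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            lo, hi = port_range(rule)
            if is_world_open(rule) and any(lo <= p <= hi for p in ADMIN_PORTS):
                rule.pop("CidrIpv6", None)  # a rule carries a single source CIDR
                rule["CidrIp"] = admin_cidr
    return hardened
```

The web ports (80, 443, 8080) stay world-open in the hardened copy; only the rules covering port 22 or 3389 are narrowed, and the original template is left unchanged.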
Create a key pair for connecting to the public and private instances
  KeyPair:
    Type: AWS::EC2::KeyPair
    Properties:
      KeyName: Private-key
VPC Resource map
Create EC2 Instance 1 with OS Linux in subnet 1
  EC2Instance1:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: ami-0a481e6d13af82399
      KeyName: !Ref KeyPair   # Ref returns the key pair name and makes the instance wait for the KeyPair resource
      SubnetId: !Ref PublicSubnet1   # assumed logical ID of subnet 1 (not shown on this page); needed to launch in this VPC
      SecurityGroupIds:
        - !Ref BastionSecurityGroup
NAT Gateway in subnet 2
Create EC2 Instance 2 with OS CentOS in subnet 3
  EC2Instance2:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: ami-0fe93f7207572df7a
      KeyName: !Ref KeyPair
      SubnetId: !Ref PrivateSubnet1   # assumed logical ID of subnet 3 (not shown on this page)
      SecurityGroupIds:
        - !Ref EC2SecurityGroup
Create EC2 Instance 3 with OS Ubuntu in subnet 4
  EC2Instance3:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: ami-0df7a207adb9748c7
      KeyName: !Ref KeyPair
      SubnetId: !Ref PrivateSubnet2   # assumed logical ID of subnet 4 (not shown on this page)
      SecurityGroupIds:
        - !Ref EC2SecurityGroup
Security testing from EC2 Instance 1 [Public IP] to EC2 Instance 3 [Private IP]
Open PuTTY, set the host to the EC2 Instance 1 public IP 13.228.170.156 and select the key pair.
Log in as:
$ ec2-user
Connect to EC2 Instance 3 on its private IP 192.168.0.207:
$ ssh ec2-user@192.168.0.207
Accept the host key by typing [yes]
Create a new .pem file, paste the contents of Private-key.pem into it,
then type :wq to save and exit vi
$ vi newkey.pem
$ chmod 400 newkey.pem
Connect to EC2 Instance 3 on its private IP:
$ ssh -i newkey.pem ec2-user@192.168.0.207
Test updating the OS (Ubuntu) on EC2 Instance 3
Note:
EC2 Instance 3 can't be reached directly; the connection must go through EC2 Instance 1 (the bastion) first.